The OAuth service uses scopes to define the permissions granted to an application on behalf of a user who logs on to Alibaba Cloud. This topic describes how to add, delete, and set required OAuth scopes for an application.
Add OAuth scopes
Log on to the RAM console as a RAM administrator.
In the left-side navigation pane, choose .
On the Enterprise Application tab, click the name of the application whose OAuth scope you want to define.
On the OAuth Scope tab, click Add OAuth Scope.

In the Add OAuth Scope panel, select the scopes that you want to add.
Note: The aliuid and profile scopes are associated with ID tokens. Other scopes are associated with access tokens. For a list of all supported OAuth scopes, see OAuth application overview.
Click OK.
Delete OAuth scopes
On the OAuth Scope tab, find the OAuth scope that you want to delete and click Delete OAuth Scope in the Actions column.
Note: The openid scope is a default scope and cannot be deleted.
In the Delete OAuth Scope dialog box, click Delete OAuth Scope.
Set an OAuth scope as required
After you add OAuth scopes, you can set a scope as required or remove its "required" status. When you set a scope as required, it is selected by default and the user cannot deselect it when granting permissions on the application.
Set a scope as required
In the OAuth scope list, find the desired scope and click Set as Required in the Actions column.
Ensure your application requires this authorization. Your application is responsible for protecting user data and must use all granted data and permissions lawfully and compliantly.
Cancel the required status of a scope
In the OAuth scope list, find the desired scope and click Cancel Required in the Actions column.
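Because the user is prevented from deselecting only the scopes set as required, an application should check which scopes a grant actually carries before it relies on the token. The following Python is an added example, not Alibaba Cloud code: it assumes the token response uses the space-delimited `scope` field defined in RFC 6749, and `example-api` and the sample responses are constructed.

```python
# Added example. Only openid, aliuid and profile come from the page;
# "example-api" and the token responses below are constructed.
ID_TOKEN_SCOPES = {"aliuid", "profile"}  # the page ties these to ID tokens
DEFAULT_SCOPE = "openid"                 # default scope, cannot be deleted


def parse_scope(value):
    """RFC 6749 section 3.3: space-delimited, case-sensitive scope tokens."""
    return set(value.split()) if value else set()


def check_grant(requested, required, token_response):
    """Compare the scopes the user granted with what the application asked for."""
    requested, required = set(requested), set(required)
    if not required <= requested:
        raise ValueError("required scopes must be part of the request")
    # RFC 6749 section 5.1: "scope" may be omitted when it equals the request.
    raw = token_response.get("scope")
    granted = set(requested) if raw is None else parse_scope(raw)
    missing = required - granted
    unexpected = granted - requested
    return {
        # Fail closed: never act on a grant that lacks a required scope or
        # that carries a scope the application did not ask for.
        "ok": not missing and not unexpected,
        "missing_required": sorted(missing),
        "declined_optional": sorted(requested - granted - required),
        "unexpected": sorted(unexpected),
        "id_token_scopes": sorted(granted & ID_TOKEN_SCOPES),
        # openid is left out of both lists; everything else is treated as
        # an access-token scope, following the note on the page.
        "access_token_scopes": sorted(granted - ID_TOKEN_SCOPES - {DEFAULT_SCOPE}),
    }


if __name__ == "__main__":
    requested = ["openid", "aliuid", "profile", "example-api"]
    required = ["openid", "aliuid"]
    response = {"access_token": "constructed", "scope": "openid aliuid example-api"}
    print(check_grant(requested, required, response))
```

Features that depend on a scope listed under `declined_optional` should be disabled for that user rather than retried with a broader request.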